Setting Up Embedded YubiKey Authentication
This is a quick guide to setting up the Embedded YubiKey Authenticator with Pleasant Password Server.
Before you begin, make sure you:
- have a YubiKey USB device plugged in and within reach; and
- have installed any YubiKey software that came with the device.
Note: Remember which of your YubiKey's two configuration slots you are using with Password Server. Using the wrong slot will cause errors.
(Optional) Create a Policy to Use Two-Factor Authentication
- Click User Policies for more detailed information and other methods of applying Policies.
- Select Users & Roles > Manage Policies.
- Create a new Policy and set the applicable fields and flags.
Note: Setting Two Factor as Required will prevent the user from logging in without Two Factor Authentication when the Policy is applied to them, so make sure to complete Step B.
- Click Save and refresh.
Within the Manage Policies window you should now see the Policy you just created.
Set the Policy to Use Two Factor Authentication (YubiKey Embedded Server)
- Select the Policy you wish to alter. Click the Policy name, not the [Edit] link.
Under the Two Factor Policy menu you should see Configurations. Under Provider there should be a row for YubiKey Embedded Server (it should be disabled). On the right of the row, select [Configure]:
- Click the Enabled checkbox.
- You can also allow the user to disable the provider.
- Since this Policy option needs data configured individually for each user, these are the only global policy settings you can configure.
- Navigate to a user you would like to set up Two Factor Authentication for via the Users & Roles > Manage Users menu.
- You will need to enter the YubiKey information to allow it to be authenticated.
- Key Identity: fill this in by using the generate button on the YubiKey or by entering it manually
- Internal ID: obtained from the YubiKey software when writing to a YubiKey device
- Encryption Key: obtained from the YubiKey software when writing to a YubiKey device
Note: Some of the information above is obtained from a CSV file that is generated when programming the YubiKey. This is outside the scope of this guide, but the free software can be obtained via https://www.yubico.com/support/downloads/
The device used in this example was programmed via Yubico OTP and a CSV was generated with the following info [yours will be different and this information will not work for your configuration]:
- The Key Identity is the first string of random characters on the second line of the CSV (starting with "vvni..."), the Internal ID is the next string of characters (starting with "85b..."), and the Encryption Key is the next string (starting with "3a18..."). The strings you generate will have different characters but will be presented in the same order.
These strings of characters can simply be copied and pasted into the applicable fields on the user's YubiKey Embedded Server Configuration page. Click Save when complete.
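An added example, not part of Pleasant Password Server or the Yubico tools: a Python check that finds the three values in a CSV row by their shape and order before they are pasted into the fields. The function names and the sample row are constructed, and it assumes the standard Yubico OTP sizes (modhex public ID, 6-byte private ID, 16-byte AES key) without assuming what the surrounding columns contain.

```python
import csv
import io
import re

# Yubico OTP field shapes: the public ID is 1-16 bytes in modhex, the private
# ID is 6 bytes in hex, and the AES-128 key is 16 bytes in hex.
MODHEX_ID = re.compile(r"(?:[cbdefghijklnrtuv]{2}){1,16}")
HEX_6_BYTES = re.compile(r"[0-9a-f]{12}")
HEX_16_BYTES = re.compile(r"[0-9a-f]{32}")
FIELD_NAMES = ("key_identity", "internal_id", "encryption_key")

# Constructed sample, not real tool output; the columns around the three
# values are an assumption made for illustration.
SAMPLE_CSV = (
    "constructed sample,not real tool output\n"
    "Yubico OTP,2024-01-01 00:00,ccccccbdefgh,0123456789ab,"
    "00112233445566778899aabbccddeeff,,\n"
)


def validate(key_identity, internal_id, encryption_key):
    """Return a list of problems with the three values (empty if none)."""
    problems = []
    if not MODHEX_ID.fullmatch(key_identity):
        problems.append("Key Identity is not a modhex string")
    if not HEX_6_BYTES.fullmatch(internal_id):
        problems.append("Internal ID is not 12 hex characters")
    if not HEX_16_BYTES.fullmatch(encryption_key):
        problems.append("Encryption Key is not 32 hex characters")
    return problems


def find_otp_fields(csv_text):
    """Find the first three adjacent cells shaped like the OTP triple."""
    for row in csv.reader(io.StringIO(csv_text)):
        cells = [cell.strip().lower() for cell in row]
        for triple in zip(cells, cells[1:], cells[2:]):
            if not validate(*triple):
                return dict(zip(FIELD_NAMES, triple))
    return None


if __name__ == "__main__":
    found = find_otp_fields(SAMPLE_CSV)
    # Print only the two identifiers; the Encryption Key is the shared secret.
    print(found["key_identity"], found["internal_id"])
```

The Encryption Key is the token's AES secret, so the CSV should not be left on disk once the values have been entered.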
Authenticating via YubiKey
- Log in as the user you configured Two Factor Authentication for.
After you enter the user name and password you will be presented with another Verification Page.
You can select the Token text box and use the YubiKey generation button, and the key will be inserted.
Choosing Your Two Factor Authenticator
In the event that more than one Two Factor method is enabled for a given User/Role, you will be prompted to select one of these for verifying your login.
- Whichever is chosen, the result of a successful verification will direct the user to the main Pleasant Password Server page.